When we celebrated our $21 million Series A back in October, we committed to releasing three core features on our roadmap – and we’re proud to announce that all three are live: Self Service, our API, and as of today’s release, single sign-on (SSO) for Kandji admins.
SSO for Kandji admins
Today’s release of SSO unlocks the ability to enforce specific auth workflows for Kandji admins logging into the Kandji web app, simplifying password management and enforcing secure access for admins managing your devices with Kandji.
This release supports three primary frameworks:
- Google Workspace
- Office 365 / Azure Active Directory
- SAML: A common framework in identity management that allows you to set up custom connections with other providers
Once an SSO connection is configured and established, you can choose to enforce authentication through your SSO provider by hiding the existing social login buttons and the email/password option, giving the admin only a single, secure method for signing in (this is optional, not required).
We took a unique approach to our implementation of SAML by enabling an unlimited number of SAML connections. We’ve heard from customers that this will enable you to support partners, managed service providers, or more complex environments without having to limit sign-in options.
We also support advanced SAML functions such as Single Logout (SLO), a more robust security measure that logs users out of their IdP when they log out of Kandji. We also support encrypted SAML assertions and both IdP-initiated and SP-initiated authentication flows.
Future versions will support pre-built connections with other providers such as Okta, OneLogin, and more. This release of SSO is also laying the groundwork to support Enrollment Customization.
Note: SSO is available upon request only, so please reach out to us if you’re interested. It will be included at no additional cost for customers in the 500 device tier and above. It will be available as an add-on for customers in lower tiers at $150/month, billed annually. See our pricing page for details.
For more information, read our SSO knowledge base article.
SSO for admins vs. end users
We know there can be confusion around the difference between SSO for Kandji admins logging into our web app and SSO for end users. SSO for your end users usually refers to Enrollment Customization, which is a customized web page that appears during Setup Assistant and can require employees to sign in with their SSO credentials to set up a new Mac (note that this does not bind your Mac login to your SSO login). We are looking forward to supporting Enrollment Customization in the future, but we chose to prioritize building support for SSO for admins first, as it was highly requested as an important security measure by many of our customers.
New Self Service features
Thank you to all of our customers for your feedback on Self Service; we want to make it a portal for you to customize and leverage to best support your end users – so keep those feature requests coming!
With last week’s agent update, we released several new logic enhancements to make Self Service a more seamless experience:
- The install status of all items is checked when launching Self Service.
- If an app is installed, the default button becomes Open, which can be used to open the app.
- If an older version of the app is installed, the button appears as Update, which can be used to update the app.
- A contextual … button appears when hovering over installed items in the main view and in Activity.
  - This menu contains options to reinstall, show the item in Finder, or open various links related to the app, including app-specific support sites.
- App Store apps have the option to view the app directly in the App Store, without opening a web browser.
As of today’s release, we’ve also added new workflows to the Self Service section in the Kandji web app, including the ability to delete categories within the UI, and a prompt to reassign their associated apps and tools to a new category.
For more information, read our Self Service knowledge base article.
Automatic Rosetta 2 installation for Auto Apps
When an Auto App requires Rosetta in order to run on an M1 Mac computer, you will see a warning banner on the Library item. In this event, the Kandji Agent will automatically check for and install Rosetta 2 as needed. Please note that these banners may be removed without notice as developers shift to Universal 2 binaries.
With innovation and iteration at the core of everything we do, we’re constantly building solutions to give you more of what you need and improve upon features you already love. With Kandji, you can be confident that your Apple fleet is in safe and secure hands from deployment to retirement.